The current social media frenzy is clearly buzzing around #BlackLivesMatter, and that has spawned a myriad of copycats ranging from #AllLivesMatter to #MyCatMatters. So, not to be outdone, and certainly not to diminish the importance of the social media movements just mentioned, we would like to offer a sentiment directed at the C-suite in enterprises, to help them understand the emergence of new roles in the security department. Specifically, #DevSecOpsMatter.
In order to understand why DevSecOps matters, we first need to understand what this role does relative to DevOps and the rest of the IT security department. DevOpsZone offers a nice explanation of the differences between DevOps and DevSecOps:
“A DevOps process melds the development and operation staff into a unified entity with the shared goal of creating software more efficiently. This streamlines processes by having all stakeholders working together throughout development. Changes that would have to have been communicated to the operations team by the former developers are now holistically incorporated into team procedures.”
And the article goes on to say:
“DevSecOps takes this concept to its logical next level by incorporating security into the mix. Secure DevOps is often accomplished by adding security considerations to an existing DevOps team. Whether instituted from scratch in a new team or incorporated into a viable DevOps environment, the idea is that everyone involved in the development and maintenance of a software solution is responsible for its security.”
The obvious value of DevSecOps is to ensure that no security vulnerabilities are unknowingly coded into applications, on-premises infrastructure, IoT devices, or cloud environments. The cost of missing even one item can be devastating to your organization.
Headlines like “‘BlueLeaks’ Exposes Files from Hundreds of Police Departments”, “Oh Yes! its War, the Other War, the Cyber War!”, “350,000 Social Media Influencers and Users at Risk Following Data Breach” and “With ransomware attacks increasing, cyber insurance now seen as a necessity, not a luxury” are still clogging newsfeeds with doom and gloom reports on how cybercriminals are leveraging coding missteps for monetary gain.
The best example of what not to do comes from how the CIA handled the WikiLeaks problem. KrebsOnSecurity reported in a blog post titled “When Security Takes a Backseat to Productivity”:
“The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:
- Failing to rapidly detect security incidents.
- Failing to act on warning signs about potentially risky employees.
- Moving too slowly to enact key security safeguards.
- A lack of user activity monitoring or robust server audit capability.
- No effective removable media controls.
- No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
- Historical data available to all users indefinitely.
Substitute the phrase “cyber weapons” with “productivity” or just “IT systems” in the CIA’s report and you might be reading the post-mortem produced by a security firm hired to help a company recover from a highly damaging data breach.”
This is another reason why DevSecOps should be a corporate imperative, and #DevSecOpsMatter the next IT security social media battle cry.
Building out your own DevSecOps capability requires that you partner with the right organizations to fill in the gaps for security assessments and ongoing training on the latest techniques, so that no vulnerabilities are coded into specific applications or infrastructures.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them, with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guides organizations in building best practices with high ROI into their engineering and development lifecycles across applications, operating systems, networks, mobile, cloud and IoT, through services, software solutions and R&D tailored to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance, as well as instructor-led and online training.
Why wait to become a statistic, or even worse, the next headline reporting a major breach? Schedule a consultation today.